Wednesday, August 2, 2017

VPN – asymmetric traffic

Recently I worked on a problem related to asymmetric VPN traffic.
It was caused by a misconfiguration of the encryption domain. We fixed the
problem and I would like to document the scenario. My previous post is
about my first Python script, which helped to find the issues; more details here.

Traffic from 10.1.1.0/24 and 10.1.2.0/24 should go through a VPN tunnel set up between two ASAs: 'asaC' and 'asaD'.

This is the access list I created. The access lists were implemented in the same
way on both devices (same order too!). As you can see, there are many overlapping entries (hosts
are overlapped by subnets, and subnets are overlapped by other subnets):

The second scenario also contains differences between the devices, but traffic can pass through. The definition of an encryption domain must not contain any overlapping
entries. When the same IP is matched by more than one entry, it may cause
problems like the one described above: traffic from right to left
(rB->rA) can't pass through, but traffic from left to right (rA->rB) can. All access lists should be reviewed and modified if necessary. To speed up the process of reviewing the ACLs, I wrote a Python script that automates the review.